The IT Supply Chain Initiative—Worth Watching If You Sell IT Products To The Federal Government
Posted by: Lynn McNulty
in Federal Procurement
on Mar 02, 2009
Introduction. This is the second in a series of McConnell International articles on the Comprehensive National Cyber Security Initiative (CNCI). The first of these provided an overview of the program, including an enumeration of the twelve component programs that comprise the initial phase of the effort. This article focuses on one of those projects: the IT supply chain risk management program. Private sector entities that sell information technology (IT) products to federal agencies should monitor this program closely, as it may change the future procurement process for hardware and software components purchased by federal agencies.
Background. Government security agencies have long been concerned about the ability of a foreign intelligence service to introduce security weaknesses or exploitable vulnerabilities (sometimes referred to as trap doors) into IT products used by government agencies or incorporated into military weapons systems. For example, in 1984, the US government discovered that many of the electric typewriters used to prepare classified cables at the Moscow embassy had been modified by the Soviet intelligence service to capture keystrokes and subsequently broadcast this data to waiting Russian antennas. While this instance is not a very current example of the contemporary supply chain problem, it is illustrative of the potential threats to information technology products used by federal agencies.
Let’s fast-forward twenty-five years and look at the information technology environment from the government’s viewpoint. The impact of globalization has resulted in significant amounts of IT hardware and software development, component manufacturing and product assembly being accomplished at overseas locations. India and China are frequently cited as prime examples of countries that have benefited from the globalization of the IT supply chain. While the United States has enjoyed the benefits of cheap, high quality technology, many in the national security community worry about the vulnerabilities that result from this significant foreign involvement in the design, development and manufacture of computer hardware and software products used throughout the public and private sectors of the US economy, the critical infrastructure, the military and other government organizations.
The Cyber Initiative and the IT Supply Chain. Most observers agree that the Cyber Initiative was based upon the discovery of grave threats to US government networks and databases. While these threats have many dimensions, one component of the Cyber Initiative focuses on supply chain related issues. While this topic is under active consideration by various inter-agency groups, an early public manifestation of the government’s approach to dealing with this issue occurred recently over the subject of counterfeit chips. The October 2, 2008, issue of Business Week magazine carried a story about the growing threat to the US military resulting from the incorporation of counterfeit semiconductor chips into weapon systems and IT systems. The article quotes a senior government official involved in the Cyber Initiative as stating, “Counterfeit products have been linked to the crash of mission-critical networks and may also contain hidden ‘back doors’ enabling network security to be bypassed and sensitive data accessed [by hackers, thieves, and spies].”
On November 18, 2008, the Federal Register contained an “Advanced Notice of Proposed Rule Making” that sought comments from the public and industry “…on whether the Federal Acquisition Regulation (FAR) should be revised to include a requirement that contractors selling information technology (IT) products (including computer hardware and software) represent that such products are authentic.” The deadline for written comments was set for January 20, 2009. While no final decision has been made on this issue, it was apparent at a Product Authentication Workshop held at the National Institute of Standards and Technology on February 17, 2009, that there is significant sentiment within the government to adopt a procurement-based strategy to deal, in part, with the supply chain issue.
It is anticipated that the government’s program to address the supply chain issue will not be limited to counterfeit chips, but will ultimately extend to the entire development and manufacturing process for semiconductor components and software products. Some observers have speculated that Intel’s recent announcement on February 11, 2009 of its intention to invest seven billion dollars in upgrading its domestic chip foundries could be another manifestation of the supply chain program. Indeed, Intel’s CEO termed the project a “patriotic gesture”.
The DOD/DHS Software Assurance program has the potential to impact vendor companies that sell software products to federal agencies. The objective of this effort is to improve the quality of commercial software products. It “… is a collaborative effort that provides practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software in every phase of its development.” The program sponsors quarterly meetings of the Software Assurance Forum. These are open public meetings that bring together representatives of the various constituencies involved in the software development process to discuss issues and developments related to the goal of improving the security properties of commercial and open source software. The next Forum meeting will be held March 10-12 in McLean, Virginia. See https://buildsecurityin.us-cert.gov/daisy/bsi/events/931-BSI.html for additional details of this meeting.
Implications for IT Companies Selling Products to the US Government. Companies that sell IT hardware and software products to the federal government are encouraged to closely monitor this issue. There are strong indications that the government will be adopting a procurement-based strategy to move the vendor community in the direction of providing IT products with higher degrees of assurance for those components of the product that have been designed, coded, manufactured or assembled at overseas locations. It is quite likely that the government will be interested in the security attributes of the supply chain process that companies employ to authenticate the hardware and software components that comprise the finished product. It is not known at this time what specific requirements and mandates may be integrated into the Federal Acquisition Regulations. Possible elements include, but are not limited to, the following: certifications of authentication, government-mandated third party testing programs, and descriptions of vendor supply chain security programs. The first indication of the government’s direction will be the issuance of a proposed rule resulting from the November 2008 Federal Register notice dealing with counterfeit chips.